Anonymous participation authority management system

ABSTRACT

A system allowing a participant to participate anonymously in a plurality of sessions but to be detected that the same participant has participated more than once in the same session is disclosed. The participant authorizes individual data using secret information depending on session-related information. The reception subsystem determines whether received data is anonymous participation data authorized by the participant subsystem and further determines whether anonymous signatures of arbitrary two pieces of anonymous participation data are signed by an identical participant subsystem. The anonymous signature may include data generated by raising a session-dependent base to a power dependent on the secret information.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a participation authority managementsystem for use in electronic access, electronic bidding, electroniclottery, electronic petition, electronic voting or the like.

2. Description of the Prior Art

Conventionally, an anonymous participation system using blind signaturehas been studied. Blind signature refers to a system in which a signersigns without seeing the signed contents. For example, in the case ofelectronic voting, data involved in the participation is the votingcontents of the voter himself/herself.

Thus, electronic voting can be conducted as follows. First, aparticipant subsystem (presenter) authorized to vote proves before amanager subsystem that the presenter is authorized to vote and then hasthe manager subsystem sign the voting contents by section of blindsignature.

A voting statement with the signature of this manager subsystem affixedis sent to a verification subsystem. The verification subsystem regardsthe voting statement submitted with the signature of the managersubsystem as a voting statement sent by an eligible voter To prevent anidentical participant subsystem from participating in an identicalvoting session two or more times, it is determined that voting datawhich varies from one participant subsystem to another should be usedand that the manager subsystem should issue a blind signature to eachparticipant subsystem only once.

In the case where voting contents with the same signature are sent, thismakes it possible to determine that the same participant subsystem hasattempted to vote twice. Since blind signature is used, even the managersubsystem cannot know to which participant subsystem the votingstatement with the signature has been issued, which makes it possible tomaintain anonymity.

Likewise, an electronic voting system using anonymous certificates withblind signature is also under study. In the conventional example above,the participant subsystem needs to have the manager subsystem issue ablind signature every time the participant subsystem participates invoting, that is, for every voting session. Therefore, the followingdescribes a conventional case where a participant subsystem canparticipate in electronic voting any number of times with a singleregistration procedure.

First, the participant subsystem proves before the manager subsystemthat the participant subsystem is a participant subsystem authorized toanonymously participate, then has the manager subsystem sign its ownpublic key by section of blind signature. The public key with thissignature of the manager subsystem affixed is called “anonymouscertificate”.

Next, the participant subsystem signs the voting contents with its ownsecret key and sends the signed voting contents and the anonymouscertificate to a verification subsystem. The verification subsystemconfirms that the anonymous certificate submitted is a public key withthe signature of the manager subsystem affixed and that the signature ofthe voting statement can be correctly verified based on this public key,and when the confirmation is obtained, regards this as a votingstatement sent by an eligible voter. Whether an identical participantsubsystem has not participated in an identical voting session more thanonce is confirmed by the absence of other voting statements based on thesame anonymous certificate.

Use of blind signature makes it unknown even to the manager subsystem towhich participant subsystem an anonymous certificate has been issued,which makes it possible to maintain anonymity. However, if an identicalparticipant subsystem votes in two voting sessions using an identicalanonymous certificate, it will be revealed that the same participantsubsystem has participated.

Next, group signature will be explained below. This is a system in whicheven if two or more signatures are affixed it using an identicalanonymous certificate, whether the same signer has signed or not is keptconcealed. This technique is described in detail in a paper called“Efficient group signature schemes for large groups” in theinternational conference CRYPTO '97 by J. Camenisch and M. Stadler.

First, the participant subsystem proves before the manager subsystemthat the participant subsystem is a participant subsystem that belongsto a group authorized to participate anonymously and then has themanager subsystem issue a group secret key.

Next, data to be sent is signed with this secret key and the signed datais sent to the verification subsystem.

The verification subsystem confirms that the data submitted has asignature verifiable by a group public key affixed and when theconfirmation is obtained, this can be regarded as the data sent by aparticipant subsystem belonging to an eligible group. Use of groupsignature makes it impossible to identify the particular participantsubsystem in the group to which the group secret key used for generatingeach signature is belonged, which makes it possible to maintainanonymity.

However, with this system even if an identical participant subsystem hassent data more than once to an identical session, there is no way toverify whether the two signatures are affixed by using an identicalgroup secret key or not, and therefore this system cannot be used forapplications such as electronic voting which must prevent double voting.

A technology similar to group signature, is escrow identification, whichis described in detail in a paper called “Identity Escrow” in theinternational conference CRYPTO '98 by J. Kilian and E. Petrank.However, this technology does not provide section for determiningwhether two identification information pieces are issued from anidentical participant subsystem or not, either.

A technology called “subgroup signature” is available, which is atechnology using group signature whose number of signatures is equal tothe number of different participant subsystems. This technology isdescribed in detail in a paper called “Some open issues and newdirections in group signatures” in the international conferenceFinancial Cryptography '99 by G. Ateniese and G. Tsudik. However, sinceall participant subsystems provide signature for common data, thistechnology cannot be used for voting in which data to be sent variesfrom one participant to another.

SUMMARY OF THE INVENTION

As described above, there is no conventional technology that would allowa participant to participate in a plurality of sessions by a singleregistration procedure, detect whether there already exists data fromthe same participant, and conceal a participation relationship betweensessions even if the participant participates in a plurality of sessionswithout this being detected, so as to be used for electronic voting andelectronic bidding.

In the conventional technology where data to be sent is signed bysection of blind signature, it is necessary to conduct registrationprocessing for every session, while the conventional technology using ananonymous certificate is unable to conceal a participation relationshipbetween sessions, group signature or escrow identification is unable toverify session participation by an identical participant, and thetechnology using subgroup signature is unable to allow each participantsubsystem to create participation data independently.

The present invention has been achieved by taking into account thepoints described above and it is an object of the present invention toprovide an anonymous participation authority management system in whicha participant authorized to access or participate in a plurality ofsessions can participate anonymously without the participant's name orparticipating relationship between the sessions being revealed, whereasit is possible to determine whether the same participant hasparticipated more than once in the same session.

In other words, the present invention provides an anonymousparticipation authority management system allowing participants toparticipate in a plurality of sessions with a single registrationprocedure, detecting any identical participant who has participated inan identical session more than once, and yet concealing a participationrelationship between sessions, so as to be used for electronic voting,electronic bidding, and the like.

According to the present invention, a system includes: a participantsubsystem that is authorized to anonymously participate in a pluralityof sessions using secret information: and a reception subsystem thatdetermines whether it is acceptable for the participant subsystem toparticipate in a session, wherein the participant subsystem includes ananonymous signing section for authorizing individual data using thesecret information depending on session-related information to produceanonymous participation data with anonymous signature, and the receptionsubsystem includes: an anonymous signature determining section fordetermining whether received data is anonymous participation data withanonymous signature authorized by the participant subsystem: and asender match determining section for determining whether anonymoussignatures of arbitrary two pieces of anonymous participation data aresigned by an identical participant subsystem.

The anonymous signature may include data that is generated by apredetermined expression using the session-related information and thesecret information, wherein the sender match determining section checksthe data included in the anonymous signature of received anonymousparticipation data. The predetermined expression may be represented byraising a session-dependent base to a power that is dependent on thesecret information.

According to a first embodiment of the present invention, the anonymoussigning section may include: a generator creating section for creating asession-dependent generator depending on the session-relatedinformation; a group signing section for signing the individual datausing the session-dependent generator and the secret information toproduce anonymous participation data, wherein the anonymousparticipation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation; and a linkage data generating section for generatinglinkage data indicating a relationship among the session-dependentgenerator and a generator determined by the individual data and/or thesession-related information.

The secret information is represented by (x, y, v) that satisfies:v=(y+δ)^(1/e) mod n, where y=a^(x) mod n, n is a product of two primenumbers as used in the RSA cryptography, g is a generator that generatesa cyclic group of order n, a is an integer mutually prime to n, e is aninteger mutually prime to the Euler number of n, and δ is a constantother than 1,

the generator creating section creates a session-dependent generatorg_(A) corresponding to a session A and a generator g_(A) is generatedbased on the individual data m and/or the session A,

the group signing section sets z=g_(A) ^(y) and generates a first proofstatementV ₁ =SKLOGLOG(z,g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾]  (1)proving the knowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a secondproof statementV ₂ =SKROOTLOG(z*g _(A) ^(δ) ,g _(A) ,e)[β:z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾]  (1)proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A) ^((β) ^(e) ⁾,

the linkage data generating section sets z₁=g_(m) ^(γ), and generates athird proof statementV ₃ =SKREP(z ₁ /z,g _(m) /g _(A))[γ:z ₁ /z=(g _(m) /g _(A))^(γ)]  (1)proving the knowledge of z₁ and z have the same power to the bases g_(m)and g_(A), respectively, wherein the anonymous participation data isdefined as (A, m, z, z₁, V₁, V₂, V₃). In this case, the anonymoussignature determining section checks V₁, V₂, and V₃ of the anonymousparticipation data to determine whether received data is anonymousparticipation data with anonymous signature authorized by theparticipant subsystem. The sender match determining section checks z ofthe anonymous participation data to determine whether anonymoussignatures of arbitrary two pieces of anonymous participation data aresigned by an identical participant subsystem.

According to a second embodiment, the anonymous signing section mayinclude: a generator creating section for creating a generator dependingon the session-related information; and a group signing section forsigning the individual data using the generator and the secretinformation to produce anonymous participation data, wherein theanonymous participation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation.

In the case where he secret information is represented by (x, y, v) thatsatisfies: v=(y+δ)^(1/e) mod n, where y=a^(x) mod n, the individual datais denoted by m, n is a product of two prime numbers as used in the RSAcryptography, g is a generator that generates a cyclic group of order n,a is an integer mutually prime to n, e is an integer mutually prime tothe Euler number of n, and δ is a constant: other than 1,

the generator creating section creates a session-dependent generatorg_(A) corresponding to a session A,

the group signing section sets z=g_(A) ^(γ) and generates a first proofstatementV ₁ =SKLOGLOG(z,g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾](m)proving the knowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a secondproof statementV ₂ =SKROOTLOG(z*g _(A) ^(δ) ,g _(A) ,e)[β:z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾](m)proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A) ^((β) ^(e) ⁾,wherein the anonymous participation data 13 is designated as (A, m, z,V₁, V₂).

According to a third embodiment of the present invention, the anonymoussigning section may include: a generator creating section for creating asession-dependent generator depending on the session-relatedinformation; an escrow identifying section for signing the individualdata using the session-dependent generator and the secret information toproduce anonymous participation data, wherein the anonymousparticipation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation; and a linkage data generating section for generatinglinkage data indicating a relationship among the session-dependentgenerator and a generator determined by the individual data and/or thesession-related information.

The secret information is represented by (a, b) that satisfiesb=(a^(a)−δ)^(1/a) mod n, where n is a product of two prime numbers asused in the RSA cryptography, g is a generator that generates a cyclicgroup of order n, a is an integer mutually prime to n, e is an integermutually prime to the Euler number of n, and δ is a constant other than1,

the generator creating section creates a session-dependent generatorg_(A) corresponding to a session A and a generator g_(m) is generatedbased on the individual data m and/or the session A,

the escrow identifying section sets z_(α)=g_(A) ^((a) ^(e) ⁾ andgenerates a first proof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α:z _(a) =g _(A) ^((a) ^(e) ⁾]  (1)proving the knowledge of α satisfying z_(a)=g_(A) ^((a) ^(e) ⁾, and setsz_(b)=g_(A) ^((b) ^(e) ⁾ and generates a second proof statementV ₂ =SKROOTLOG(z _(b) ,g _(A) ,e)[β:z _(b) =g _(A) ^((b) ^(e) ⁾]  (1)proving the knowledge of β satisfying z_(b)=g_(A) ^((b) ^(e) ⁾, and

the linkage data generating section sets z_(a)=g_(m) ^((a) ^(e) ⁾ andgenerates a third proof statementV ₃ =SKREP(z _(c) /z _(a) ,g _(m) /g _(A))[γ:z _(c) /z _(a)=(g _(m) /g_(A))^(γ)]  (1)proving the knowledge of z_(a) and z_(c) having the same power to thebases g_(A) and g_(m), respectively, wherein the anonymous participationdata is defined as (A, m, z_(a), z_(b), z_(c), V₁, V₂, V₃). In thiscase, the anonymous signature determining section determines whetherz_(a)*z_(b)=g_(A) ^(δ) is satisfied and, checks V₁, V₂, and V₃ of theanonymous participation data to determine whether received data isanonymous participation data with anonymous signature authorized by theparticipant subsystem. The sender match determining section checks oneof z_(a) and z_(b) of the anonymous participation data to determinewhether anonymous signatures of arbitrary two pieces of anonymousparticipation data are signed by an identical participant subsystem.

According to a fourth embodiment of the present invention, the anonymoussigning section may include: a generator creating section for creating asession-dependent generator depending on the session-relatedinformation; and an escrow identifying section for signing theindividual data using the session-dependent generator and the secretinformation to produce anonymous participation data, wherein theanonymous participation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation.

The secret information is represented by (a, b) that satisfiesb=(a^(e)−δ)^(1/e) mod n, where n is a product of two prime numbers asused in the RSA cryptography, g is a generator that generates a cyclicgroup of order n, a is an integer mutually prime to n, e is an integermutually prime to the Euler number of n, and δ is a constant other than1,

the generator creating section creates a session-dependent generatorg_(A) corresponding to a session A,

the escrow identifying section sets z_(a)=g_(A) ^((a) ^(e) ⁾ andgenerates a first proof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α:z _(a) =g _(A) ^((a) ^(e) ⁾]  (m)proving the knowledge of α satisfying z_(a)=g_(A) ^((a) ^(e) ⁾, and setsz_(b)=g_(A) ^((b) ^(e) ⁾ and generates a second proof statementV ₂ =SKROOTLOG(z _(b) ,g _(A) ,e)[β:z _(b) =g _(A) ^((b) ^(e) ⁾]  (m)proving the knowledge of β satisfying z_(b)=g_(A) ^((b) ^(e) ⁾, whereinthe anonymous participation data is defined as (A, m, z_(a), z_(b), V₁,V₂).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a configuration of an embodiment of aparticipant subsystem according to the present invention;

FIG. 2 is a block diagram showing a configuration of an embodiment of areception subsystem according to the present invention;

FIG. 3 is a block diagram showing a configuration of an embodiment of asystem according to the present invention;

FIG. 4 is a block diagram of a participant subsystem showing aconfiguration of a first embodiment of an anonymous signature functionaccording to the present invention;

FIG. 5 is a block diagram of a participant subsystem showing aconfiguration of a second embodiment of an anonymous signature functionaccording to the present invention;

FIG. 6 is a block diagram of a participant subsystem showing aconfiguration of a third embodiment of the anonymous signature functionaccording to the present invention; and

FIG. 7 is a block diagram of a participant subsystem showing aconfiguration of a fourth embodiment of the anonymous signature functionaccording to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In order to clarify the objects, features and advantages of the presentinvention, embodiments of the present invention will be explained indetail below with reference to the attached drawings. A schematic systemaccording to an embodiment of the present invention is shown in FIG. 1to FIG. 3. FIG. 1 shows a participant subsystem 101 and FIG. 2 shows areception subsystem 102. FIG. 3 shows a conceptual diagram of thesystem.

For example, in the case where this anonymous participation authoritymanagement system is applied to a voter management system in electronicvoting, the participant subsystem corresponds to a voter subsystem andeach eligible voter is given secret information from a manager subsystembeforehand and the reception subsystem performs voting reception.

A session corresponds to each election event (nationwide election, localgovernment election, etc.) and session-related information includesinformation specifying the election session and is information common toall or a certain range of voters (e.g., voters in the same electionadministrative area), and individual data is voting data, which variesfrom one voter to another. Unlike conventional “digital signature” inwhich a signer name is identified, in “anonymous signature”, a signername is not identified and remains anonymous, but the “anonymoussignature” indicates that it assures (authorizes) as a signature thatdata has been certainly created by an anonymous person who hasparticipation authority and has not been tampered by other people. Thereare two kinds of digital signature systems, one in which data to besigned is expressly separated from signature data, and the other inwhich data to be signed is indirectly included in signature data. Thus,suppose the anonymous signature, or participation data with an anonymoussignature assigned described here includes data subject to anonymoussignature.

With reference to FIG. 1 and FIG. 2, this participant subsystem 101 hassecret information 10 given by communicating beforehand with the managersubsystem 100 in secret information retaining section 20, generatesanonymous participation data 13 obtained by authorizing through theanonymous signature function 21 session-related information 11 of thesession in which the participant wants to participate and individualdata 12 which is to be entered in the session in which the participantwants to participate using a secret key 10 retained in the secret keyretaining section 20 and anonymously sends this anonymous participationdata 13 to the reception subsystem 102.

The reception subsystem 102 receives this participation data andverifies through the anonymous signature verifying section 30 that thisincludes the individual data authorized by the participant subsystemauthorized to anonymously participate in the relevant session.

Then, it is determined whether the participant previously participatedin the session or not using the sender match determining section 31 thatdetermines whether the received participation data is sent or not by thesame participant subsystem that sent the participation data.

In the case of voting, if the participant did not participate before,the relevant participation data sent is accepted and if the participantparticipated before, this is accepted and notified.

Or it is also possible to receive all verified data first and thenaccept only the data that the sender match determining section 31 hasconfirmed that the same participant subsystem is not found in thereceived participation data.

In other cases such as bidding, it is also possible to accept only thedata involved in the first participation or validate the latestparticipation data or select only one from the participation data of thesame participant subsystem and validate according to a certain standard.Of course, verification of participation data using the anonymoussignature verifying section can be performed at any time afterreception.

Furthermore, in the case where this anonymous participation authoritymanagement system is applied to a bidder management system of electronicbidding; the participant subsystem corresponds to a bidder subsystem andeach eligible bidder is given secret information from the managersubsystem beforehand and the reception subsystem performs biddingreception.

The session corresponds to each bidding item, session-relatedinformation includes information that specifies the bidding session andis information common to all bidders, and individual data corresponds tobidding data which varies from one bidder to another.

For example, in the case where this anonymous participation authoritymanagement system is applied to an applicant management system inelectronic lottery, the participant subsystem corresponds to theapplicant subsystem, each eligible applicant is given secret informationfrom the manager subsystem beforehand and the reception subsystemperforms application reception.

The session corresponds to each lottery item, session-relatedinformation includes information that specifies the lottery session andis information common to all applicants, and individual data correspondsto application data which varies from one applicant to another.

First Embodiment

As shown in FIG. 4, a case where group signature is applied will bedescribed as a specific example. Operation of this embodiment will beexplained below.

As group signature, a system which J. Camenisch and M. Stadlerintroduced in a paper called “Efficient group signature schemes forlarge groups” in the international conference CRYPTO '97 is known.

As described in the above document, common constants (g, a, e, n, δ) arerequired where n is a product of two prime numbers as used in the RSAcryptography, g is a generator that generates a cyclic group of order n,a is an integer mutually prime to n, e is an integer mutually prime tothe Euler number of n, and δ is a constant other than 1.

Then, the manager system 100 generates these common constants anddesignates the prime factor of n as the secret information of themanager system. The method of generating these common constants isdescribed in detail in the above document.

Given the above common constants (g, a, e, n, δ), each participantsubsystem 101 communicates with a manager system that knows the primefactor of n and thereby acquires secret information 10 (x, y, v) thatsatisfies:v=(y+δ)^(1/e) mod n

-   -   where y=a^(x) mod n.

Here, as the method of acquiring the secret information (x, y, z), themanager system may generate all the information and distribute it toparticipant subsystems, or each participant subsystem may present only ywhile keeping x a secret and have the manager system calculate v from y.Furthermore, it is also possible to acquire the secret information (x,y, v) by using a blind signature technique without even revealing y.

Then, the proof system which will be used below will be explained first.SKREP(y,g)[α:y=g ^(α)](m)means proving the knowledge of α satisfying y=g^(α) using (y, g, m),where m is an arbitrary number.SKLOGLOG(y,g,a)[α:y=g ^((a) ^(α) ⁾](m)means proving the knowledge of α satisfying y=g^((a) ^(α) ⁾ using (y, g,a, m), where m is an arbitrary number.

Next,SKROOTLOG(y,g,e)[α:y=g ^((α) ^(e) ⁾](m)means proving the knowledge of α satisfying y=g^((α) ^(e) ⁾ using (y, g,e, m), where m is an arbitrary number.

Since the method of creating a specific proof statement and the methodof verifying the proof statement are described in detail in the abovedocument, and these methods are not directly related to the presentinvention, they are not further described here.

Then, the calculation as shown in FIG. 4 will be carried out as theanonymous signature function 21 using session management information A(11) and individual data m (12).

First, a generator g_(A) corresponding to session A is acquired by thegenerator creating section 52 and then g_(m) is generated byg_(m)=Hash(m).

Then, the group signing section 51 sets z=g_(A) ^(y) and generates aproof statementV ₁ =SKLOGLOG(z,g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾]  (1)proving the knowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a proofstatementV ₂ =SKROOTLOG(z*g _(A) ^(δ) ,g _(A) ,e)[β:z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾]  (1)proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A) ^((β) ^(e) ⁾.

Here, constant 1 to be input to SKLOGLOG and SKROOTLOG is given assession-related information and is a constant to become the output fromthe external data inputting section 50.

Then, the linkage data generating section 53 sets z₁=g_(m) ^(y) andgenerates a proof statementV ₃ =SKREP(z ₁ /z,g _(m) /g _(A))[γ:z ₁ /z=(g _(m) /g _(A))^(γ)]  (1)proving the knowledge of z₁ and z have the same power to the bases g_(m)and g_(A), respectively.

As the output of the above processing, participation data 13 isdesignated as (A, m, z, z₁, V₁, V², V₃). In the case where A isapparent, A need not particularly be added to the participation data.

Furthermore, in the generator creating section 52, g_(A) can also begiven as part of the session-related information or it can be generatedas g_(A)=Hash(A).

The reception subsystem that has received this participation data 13acquires g_(A) from A and confirms through the anonymous signatureverifying section 30 that the certification statements V₁, V₂ and V₃ arevalid.

Then, when the same z exists in a plurality of participation data, thesender match determining section 31 can determine that theseparticipation data have been sent by the same participant subsystem.This is because z included in the participation data from the sameparticipant subsystem is identical with respect to the same sessionirrespective of the value of the individual data m.

As shown above, when the participant subsystem participates in adifferent session using the same secret information 10 (x, y, v), thelinkage is not ascertained (because it is difficult to discriminatenumbers obtained by raising different bases to same power from numbersobtained by other calculations). When the participant subsystemparticipates in the same session, it is possible to construct ananonymous participation authority management system in which the linkageis ascertained. Furthermore, a system of invalidating the issuedanonymous participation secret information is also described in theabove document.

Furthermore, it is easy for those skilled in the art to think ofvariations of the above system. For example, even if g_(m) is generatedby g_(m)=Hash(A∥m) through the generator creating section 52, the effectremains unchanged. Here, “∥” denotes concatenation. Furthermore, ifg_(A) and g_(m) are generators over a finite field, which is uniquelydetermined by A and m, respectively, or A or A and m, g_(A) and g_(m)need not use any hash function. Moreover, constant (1) is used as anexample of the output of the external data inputting section 50 togenerate V₁, V₂ and V₃, but any number or any variable such as g_(A),g_(m), y and z can be used if agreed to do so beforehand.

Furthermore, it is also possible to change the manner in which g_(m) andg_(A) are used by the generator creating section 52. For example, thegenerator creating section 52 may generate g_(m)=Hash(m) from individualdata m, and generate g_(A) by g_(A)=Hash(A) using session-relatedinformation A. Next, the group signing section 51 may set z₂=g_(m) ^(y),and generate a proof statement V₁=SKLOGLOG(z₂,g_(m),a)[α:z₂=g_(m) ^((a)^(α) ⁾](1) proving the knowledge of α satisfying z₂=g_(m) ^((a) ^(α) ⁾,and a proof statement V₂=SKROOTLOG(z₂*g_(m) ^(δ),g_(m),e)[β:z₂*g_(m)^(δ)=g_(m) ^((β) ^(e) ⁾](1) proving the knowledge of β satisfyingz₂*g_(m) ^(δ)=g_(m) ^((β) ^(e) ⁾. Finally, the linkage data generatingsection 52 may set z₃=g_(A) ^(y) and generate a proof statementV₃SKREP(z₂/z₃, g_(m)/g_(A)) [γ: z₂/z₃=(g_(m)/g_(A))^(γ)](1) proving theknowledge of z₂ and z₃ having the same power to the bases g_(m) andg_(A), respectively. The participation data 13 is then designated as (A,m, z₂, z₃, V₁, V₂, V₃). However, the effect remains the same.

In this case, the sender match determining section 31 will check whetherz₃ in the participation data duplicates.

Second Embodiment

Furthermore, there can also be an example seeking to improve theefficiency. An anonymous signature function 21 using session managementinformation A and individual data m will be explained with reference tothe participant subsystem 101A in FIG. 5,

Referring to FIG. 5, the generator creating section 52 acquires agenerator g_(A) corresponding to session A. Next, the output from theexternal data inputting section 62 is set to m. The group signingsection 61 sets z=g_(A) ^(y) and generates a proof statementV ₁ SKLOGLOG(z,g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾]  (m)proving the knowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a proofstatementV ₂ =SKROOTLOG(z*g _(A) ^(δ),g_(A) ,e)[β:z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾]  (m)proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A) ^((β) ^(e) ⁾.The participation data 13 is designated as (A, m, z, V₁, V₂). In thecase where A is apparent, A need not particularly be added to theparticipation data. Furthermore, g_(A) can also be given together with Aor generated as g_(A)=Hash(A).

In this case, the participation data is not only shortened but it isnecessary to verify the validity of only proof statements V₁ and V₂ bythe anonymous signature verifying section 30, which will improve theefficiency. Moreover, the output from the external data inputtingsection 62 need not be made dependent solely on the individual data butcan also include session management information A, if it is alsoincluded during verification.

Third Embodiment

The system can also be designed based on an escrow identificationsystem. The escrow identification technique is described in detail by J.Kilian and E. Peltrank in a paper called “Identity Escrow” in theinternational conference CRYPTO '98.

In this example, as described above, common constants (g, a, e, n, δ)are required where n is a product of two prime numbers used in RSAcryptography, g is a generator that generates a cyclic group of order n,e is an integer mutually prime to the Euler number of n, δ is a constantother than 1. Then, the manager system generates these common constantsand designates the prime factor of n as the secret information of themanager system.

Given the above common constants (g, e, n, δ), each participantsubsystem communicates with a manager system that knows the prime factorof n and thereby acquires secret information 10 (a, b) that satisfiesb=(a^(e)−δ)^(1/e) mod n.

Here, as the method of acquiring the secret information (a, b), it ispossible for the manager system to generate all the information anddistribute it to participant subsystems or it is possible to acquire thesecret information (a, b) by even hiding a using a blind signaturetechnique.

In the following example, supposing an anonymous signature function 21using session management information A and individual data m, thefollowing operation is performed by the participant subsystem 101B asshown in FIG. 6.

Referring to FIG. 6, a generator g_(A) corresponding to session A isacquired by the generator creating section 52 and then g_(m) isgenerated by g_(m)=Hash(m).

Next, the escrow identifying section 81 sets z_(a)=g_(A) ^((a) ^(e) ⁾and generates a proof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α:z _(a) =g _(A) ^((a) ^(e) ⁾]  (1)proving the knowledge of α satisfying z_(a)=g_(A) ^((a) ^(e) ⁾, and setsz_(b)=g_(A) ^((b) ^(e) ⁾ and generates a proof statementV ₂ =SKROOTLOG(z _(e) ,g _(A) ,e)[β:z _(b) =g _(A) ^((b) ^(e) ⁾]  (1)proving the knowledge of β satisfying z_(b)=g_(A) ^((b) ^(e) ⁾.

Then, the linkage data generating section 53 sets z_(c)=g_(m) ^((a) ^(e)⁾ and generates a proof statementV ₃ =SKREP(z _(c) /z _(a) ,g _(m) /g _(A))[γ:z _(c) /z _(a)=(g _(m) /g_(A))^(γ)](1)proving the knowledge of z_(a) and z_(n) having the same power to thebases g_(A) and g_(m), respectively. The participation data 13 isdesignated as (A, m, z_(a), z_(b), z_(c), V₁, V₂, V₃). In the case whereA is apparent, A need not particularly be added to the participationdata. Furthermore, g_(A) can be given as part of the session-relatedinformation or it can also be generated as g_(A)=Hash(A).

The reception subsystem that has received this participation data 13acquires g_(A) from A and confirms through the anonymous signatureverifying section 30 that z_(a)/z_(b)=g_(A) ^(δ) is satisfied and proofstatements V₁, V₂ and V₃ are valid.

Then, when the same z_(a) exists in a plurality of participation data,the sender match determining section 31 can determine that theseparticipation data have been sent by the same participant subsystem.This is because z_(a) included in the participation data from the sameparticipant subsystem is identical with respect to the same sessionirrespective of the value of the individual data m.

Furthermore, even if the sender match determining section 31 detectsz_(b) instead of z_(a), the same effect is obtained.

As shown above, when the participant subsystem participates in adifferent session using the same secret information 10 (a, b), thelinkage is not ascertained (because it is difficult to distinguishnumbers obtained by raising the different bases to the same power fromnumbers obtained by other calculations). It is possible to construct ananonymous participation authority management system in which the linkageis ascertained when the participant subsystem participates in the samesession. Furthermore, unlike the aforementioned example, the efficiencyis improved by using only SKROOTLOG, which is more efficient thanSKLOGLOG.

Furthermore, a system of invalidating the issued secret information foranonymous participation is also discussed in the above document.

Furthermore, it is easy for those skilled in the art to think ofvariations of the above system. For example, even if g_(m) is generatedby g_(m)=Hash(A∥m) through the generator creating section 52, the effectremains unchanged. Here, “∥” denotes concatenation. Furthermore, ifg_(A) and g_(m) are generators over a finite field, which is uniquelydetermined by A and m, respectively, or A or A and m, g_(A) and g_(m)need not use any hash function. Moreover, constant (1) is used as anexample of the output of the external data inputting section 50 togenerate V₁, V₂ and V₃, but any number or any variable such as g_(A),g_(m), y and z can be used if agreed to do so beforehand.

Furthermore, it is also possible to change the manner in which g_(m) andg_(A) are used by the generator creating section 52. For example, thegenerator creating section 52 may generate g_(A) by g_(A)=Hash(A) usingsession-related information A, and g_(m)=Hash(m) from individual data m.Next, the escrow identifying section 81 may set z_(a)=g_(m) ^((a) ^(e) ⁾and generate a proof statement V₁=SKROOTLOG (z_(a),g_(m),e)[α:z_(a)=g_(m) ^((a) ^(e) ⁾](1) proving the knowledge of α satisfyingz_(a)=g_(m) ^(a) ^(e) ⁾, and set z_(b)=g_(m) ^((b) ^(e) ⁾ and generate aproof statement V₂=SKROOTLOG (z_(b),g_(m),e)[β:z_(b)=g_(m) ^((b) ^(e)⁾](1) proving the knowledge of β satisfying z_(b)=g_(m) ^((b) ^(e) ⁾.

Finally, the link data generating section 53 may set z_(c)=g_(A) ^((a)^(e) ⁾ and generate a proof statement V₃=SKREP(z_(c)/z_(a),g_(A)/g_(m))[γ: z_(c)/z_(a)=(g_(A)/g_(m))^(γ]()1) provingthe knowledge of z_(a) and z_(c) having the same power to the basesg_(m) and g_(A), respectively. The participation data 13 is thendesignated as (A, m, z_(a), z_(b), z_(c), V₁, V₂, V₃). However, theeffect remains the same.

In this case, the sender match determining section 31 will check whetherz_(o) in the participation data duplicates.

Fourth Embodiment

Furthermore, there can also be an example seeking to improve theefficiency. An anonymous signature function 21 using session managementinformation A and individual data m will be explained with reference tothe participant subsystem 101C in FIG. 7.

Referring to FIG. 7, the generator creating section 60 acquires agenerator g_(A) corresponding to session A.

Next, the output from the external data inputting section 62 is set tom. The escrow identifying section 91 sets z_(a)=g_(A) ^((α) ^(e) ⁾ andgenerates a proof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α:z _(a) =g _(A) ^((α) ^(e) ⁾]  (m)proving the knowledge of α satisfying z_(a)=g_(A) ^((α) ^(e) ⁾, and setsz_(b)=g_(A) ^((β) ^(e) ⁾ and generate a proof statementV ₂ =SKROOTLOG(z _(b) ,g _(A) ,e)[β:z _(b) =g _(A) ^((β) ^(e) ⁾]  (m)proving the knowledge of β satisfying z_(b)=g_(A) ^((β) ^(e) ⁾. Theparticipation data 13 is then designated as (A, m, z_(a), z_(b), V₁,V₂). In the case where A is apparent, A need not particularly be addedto the participation data. Furthermore, g_(A) can also be given togetherwith A or generated as g_(A)=Hash(A).

In this case, the participation data is not: only shortened but it isnecessary to verify the validity of only proof statements V₁ and V₂ bythe anonymous signature verifying section 30, which will improve theefficiency,

Another merit of this example is that secret information specific to thereception system is not necessary in the anonymous signature verifyingsection and sender match determining section. Therefore, if allparticipation data is disclosed to the public in order to verify thevalidity of electronic voting, everybody can verify that allparticipation data are votes of valid eligible voters and no identicaleligible voter has performed double voting. Such a system can also beapplied to an electronic petition.

In electronic bidding, there can be such illegality that a receptionsystem receives a plurality of participation data (bidding data) from aspecific participant subsystem and leaves the most advantageous datafrom among those data later. In this case, even if everybody can use thesender match determining section, it is not possible to detect thisillegality. In this case, before unsealing (that is, before it is foundwhich data is advantageous), the received participation data isidentified and made unchangeable or a receipt for the receivedparticipation data is issued in a form dependent on the previousparticipation data, and if the participation data is deleted, there willbe a mismatch with the receipts of other participants, thus disclosingthe illegality.

This embodiment is introduced as an operation on a general number field,but it is obvious to those skilled in the art that even if thisembodiment is read as an operation on an elliptic curve or as anoperation on another group or field, the same effect can be obtained.

It is apparent that the present invention is not limited to each of theabove embodiments but can be modified in various manners withoutdeparting from the spirit and/(or scope of the technological concept ofthe present invention.

As described above, the present invention provides an anonymousparticipation authority management system that allows a participantsubsystem to anonymously participate in a plurality of sessions with asingle registration procedure with a manager subsystem so as to be madeavailable for electronic voting or electronic bidding, while concealingthe participation relationship between sessions, and that allows areception subsystem to verify that the participation data is data sentby an eligible participant subsystem authorized to participate andidentify any duplicate participation data from the same participantsubsystem.

1. A system comprising: a participant subsystem that is authorized toanonymously participate in a plurality of sessions using secretinformation provided by a manager subsystem, all of said secretinformation being transmitted to the participant subsystem prior toparticipation in a first of said plurality of sessions, said secretinformation enabling participation in each of the plurality of sessions;and a reception subsystem; wherein the participant subsystem comprises:an anonymous signing section for authorizing particular individual datausing the secret information depending on session-related information toproduce anonymous participation data with an anonymous signature;wherein the reception subsystem comprises: an anonymous signaturedetermining section for determining whether received data is saidanonymous participation data with said anonymous signature; and a sendermatch determining section for determining whether anonymous signaturesof two different pieces of anonymous participation data representing twodifferent contents of individual data that are received in a samesession of said plurality of sessions are signed by an identicalparticipant subsystem; and wherein participation by said participantsubsystem in a plurality of different sessions is concealed from saidreception subsystem.
 2. The system according to claim 1, wherein theanonymous signature includes data that is generated by a predeterminedexpression using the session-related information and the secretinformation, wherein the sender match determining section checks thedata included in the anonymous signature of received anonymousparticipation data.
 3. The system according to claim 2, wherein thepredetermined expression is represented by raising a session-dependentbase to a power that is dependent on the secret information.
 4. Thesystem according to claim 1, wherein the anonymous signing sectionauthorizes the particular individual data based on a group signaturescheme.
 5. The system according to claim 1, wherein the anonymoussigning section authorizes the particular individual data based on anescrowed identity scheme.
 6. The system according to claim 1, whereinthe anonymous signing section comprises: a generator creating sectionfor creating a session-dependent generator depending on thesession-related information; a group signing section for signing theparticular individual data using the session-dependent generator and thesecret information to produce the anonymous participation data, whereinthe anonymous participation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation; and a linkage data generating section for generatinglinkage data indicating a relationship among the session-dependentgenerator and a generator determined by the particular individual dataand/or the session-related information.
 7. The system according to claim6, wherein the secret information is represented by (x, y, v) thatsatisfies: y=(y+δ)^(1/e) mod n, where y=a^(x) mod n, n is a product oftwo prime numbers as used in the RSA cryptography, g is a generator thatgenerates a cyclic group of order n, a is an integer mutually prime ton, e is an integer mutually prime to the Euler number of n, and δ is aconstant other than 1, the generator creating section creates asession-dependent generator g_(A) corresponding to a session A and agenerator g_(m) is generated based on the individual data m and/or thesession A, the group signing section sets z=g_(A) ^(y) and generates afirst proof statementV ₁ =SKLOGLOG(z, g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾]  (1) proving theknowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a second proofstatementV ₂ =SKROOTLOG(z*g _(A) ^(δ) ,g _(A) ,e)[β: z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾]  (1) proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A)^((β) ^(e) ⁾, the linkage data generating section sets z₁=g_(m) ^(y),and generates a third proof statementV ₃ =SKREP(z ₁ /z, g _(m) /g _(A))[γ: z ₁ /z=(g _(m) /g _(A))^(γ)]  (1)proving the knowledge of z₁ and z have the same power to the bases g_(m)and g_(A), respectively, wherein the anonymous participation data isdefined as (A, m, z, z₁, V₁, V₂, V₃).
 8. The system according to claim7, wherein the anonymous signature determining section checks V₁, V₂,and V₃ of the anonymous participation data to determine whether thereceived data is the anonymous participation data with the anonymoussignature, and the sender match determining section checks z of theanonymous participation data to determine whether the anonymoussignatures of the two different pieces of anonymous participation datarepresenting the two different contents of individual data that arereceived in the same session of said plurality of sessions are signed bythe identical participant subsystem.
 9. The system according to claim 1,wherein the anonymous signing section comprises: a generator creatingsection for creating a generator depending on the session-relatedinformation; a group signing section for signing the particularindividual data using the generator and the secret information toproduce the anonymous participation data, wherein the anonymousparticipation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation.
 10. The system according to claim 9, wherein the secretinformation is represented by (x, y, v) that satisfies: v=(y+δ)^(1/e)mod n, where y=a^(x) mod n, the individual data is denoted by m, n is aproduct of two prime numbers as used in the RSA cryptography, g is agenerator that generates a cyclic group of order n, a is an integermutually prime to n, e is an integer mutually prime to the Euler numberof n, and δ is a constant other than 1, the generator creating sectioncreates a session-dependent generator g_(A) corresponding to a sessionA, the group signing section sets z=g_(A) ^(y) and generates a firstproof statementV ₁ =SKLOGLOG(z,g _(A) ,a)[α:z=g _(A) ^((a) ^(α) ⁾]  (m) proving theknowledge of α satisfying z=g_(A) ^((a) ^(α) ⁾, and a second proofstatementV ₂ =SKROOTLOG(z*g _(A) ^(δ) ,g _(A) ,e)[β: z*g _(A) ^(δ) =g _(A) ^((β)^(e) ⁾]  (m) proving the knowledge of β satisfying z*g_(A) ^(δ)=g_(A)^((β) ^(e) ⁾, wherein the anonymous participation data is designated as(A, m, z, V₁, V₂).
 11. The system according to claim 10, wherein theanonymous signature determining section checks V₁, and V₂ of theanonymous participation data to determine whether the received data isthe anonymous participation data with the anonymous signature, and thesender match determining section checks z of the anonymous participationdata to determine whether the anonymous signatures of the two differentpieces of anonymous participation data representing the two differentcontents of individual data that are received in the same session ofsaid plurality of sessions are signed by the identical participantsubsystem.
 12. The system according to claim 1, wherein the anonymoussigning section comprises: a generator creating section for creating asession-dependent generator depending on the session-relatedinformation; an escrow identifying section for signing the particularindividual data using the session-dependent generator and the secretinformation to produce the anonymous participation data, wherein theanonymous participation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation; and a linkage data generating section for generatinglinkage data indicating a relationship among the session-dependentgenerator and a generator determined by the individual data and/or thesession-related information.
 13. The system according to claim 12,wherein the secret information is represented by (a, b) that satisfiesb=(a^(e)−δ)^(1/e) mod n, where n is a product of two prime numbers asused in the RSA cryptography, g is a generator that generates a cyclicgroup of order n, a is an integer mutually prime to n, e is an integermutually prime to the Euler number of n, and δ is a constant other than1, the generator creating section creates a session-dependent generatorg_(A) corresponding to a session A and a generator g_(m) is generatedbased on the individual data m and/or the session A, the escrowidentifying section sets z_(a)=g_(A) ^((a) ^(e) ⁾ and generates a firstproof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α: z _(a) =g _(A) ^((a) ^(e) ⁾]  (1)proving the knowledge of α satisfying z_(a)=g_(A) ^((a) ^(e) ⁾, and setsz_(b)=g_(A) ^((b) ^(e) ⁾ and generates a second proof statementV ₂ =SKROOTLOG(z _(b) ,g _(A) ,e)[β: z _(b) =g _(A) ^((b) ^(e) ⁾]  (1)proving the knowledge of β satisfying z_(b)=g_(A) ^((b) ^(e) ⁾, and thelinkage data generating section sets z_(c)=g_(m) ^((a) ^(e) ⁾ andgenerates a third proof statementV ₃ =SKREP(z _(c) /z _(a) ,g _(m) /g _(A))[γ: z _(c) /z _(a)=(g _(m) /g_(A))^(γ)]  (1) proving the knowledge of z_(a) and z_(c) having the samepower to the bases g_(A) and g_(m), respectively, wherein the anonymousparticipation data is defined as (A, m, z_(a), z_(b), z_(c), V₁, V₂,V₃).
 14. The system according to claim 13, wherein the anonymoussignature determining section determines whether z_(a)/z_(b)=g_(A) ^(δ)is satisfied and checks V₁, V₂, and V₃ of the anonymous participationdata to determine whether the received data is the anonymousparticipation data with the anonymous signature, and the sender matchdetermining section checks one of z_(a) and z_(b) of the anonymousparticipation data to determine whether the anonymous signatures of thetwo different pieces of anonymous participation data representing thetwo different contents of individual data that are received in the samesession of said plurality of sessions are signed by the identicalparticipant subsystem.
 15. The system according to claim 1, wherein theanonymous signing section comprises: a generator creating section forcreating a session-dependent generator depending on the session-relatedinformation; and an escrow identifying section for signing theparticular individual data using the session-dependent generator and thesecret information to produce the anonymous participation data, whereinthe anonymous participation data includes data obtained by raising thesession-dependent generator to a power determined by the secretinformation.
 16. The system according to claim 15, wherein the secretinformation is represented by (a, b) that satisfies b=(a^(e)−δ)^(1/e)mod n, where n is a product of two prime numbers as used in the RSAcryptography, g is a generator that generates a cyclic group of order n,a is an integer mutually prime to n, e is an integer mutually prime tothe Euler number of n, and δ is a constant other than 1, the generatorcreating section creates a session-dependent generator g_(A)corresponding to a session A, the escrow identifying section setsz_(a)=g^(A) ^((a) ^(e) ⁾ and generates a first proof statementV ₁ =SKROOTLOG(z _(a) ,g _(A) ,e)[α: z _(a) =g _(A) ^((a) ^(e) ⁾]  (m)proving the knowledge of α satisfying z_(a)=g_(A) ^((a) ^(e) ⁾, and setsz_(b)=g_(A) ^((b) ^(e) ⁾ and generates a second proof statementV ₂ =SKROOTLOG(z _(b) ,g _(A) ,e)[β: z _(b) =g _(A) ^((b) ^(e) ⁾]  (m)proving the knowledge of β satisfying z_(b)=g_(A) ^((b) ^(e) ⁾, whereinthe anonymous participation data is defined as (A, m, z_(a), z_(b), V₁,V₂).
 17. The system according to claim 16, wherein the anonymoussignature determining section determines whether z_(a)/z_(b)=g_(A) ^(δ)is satisfied and checks V₁ and V₂ of the anonymous participation data todetermine whether the received data is the anonymous participation datawith the anonymous signature, and the sender match determining sectionchecks one of z_(a) and z_(b) of the anonymous participation data todetermine whether the anonymous signatures of the two different piecesof anonymous participation data representing the two different contentsof individual data that are received in the same session of saidplurality of sessions are signed by the identical participant subsystem.18. An anonymous participation authority management method for a system,the system comprising a participant subsystem that is authorized toanonymously participate in a plurality of sessions using secretinformation and a reception subsystem, the method comprising: at theparticipant subsystem, a) authorizing particular individual data usingthe secret information depending on session-related information toproduce anonymous participation data with an anonymous signature, all ofsaid secret information being transmitted to the participant subsystemprior to participation in a first of said plurality of sessions, saidsecret information enabling participation in each of the plurality ofsessions; at the reception subsystem, b) determining whether receiveddata is said anonymous participation data with said anonymous signature;and c) determining whether anonymous signatures of two different piecesof anonymous participation data representing two different contents ofindividual data that are received in a same session of the plurality ofsessions are signed by an identical participant subsystem; whereinparticipation by said participant subsystem in a plurality of differentsessions is concealed from said reception subsystem.
 19. The methodaccording to claim 18, wherein the anonymous signature includes datathat is generated by a predetermined expression using thesession-related information and the secret information, wherein the step(c) is performed by checking the data included in the anonymoussignature of the received anonymous participation data.
 20. The methodaccording to claim 19, wherein the predetermined expression isrepresented by raising a session-dependent base to a power that isdependent on the secret information.
 21. The method according to claim18, wherein the step (a) comprises the steps of: creating asession-dependent generator depending on the session-relatedinformation; signing the particular individual data using thesession-dependent generator and the secret information to produce theanonymous participation data, wherein the anonymous participation dataincludes data obtained by raising the session-dependent generator to apower determined by the secret information; and generating linkage dataindicating a relationship among the session-dependent generator and agenerator determined by the particular individual data and/or thesession-related information.
 22. The method according to claim 18,wherein the step (a) comprises the steps of: creating asession-dependent generator depending on the session-relatedinformation; and signing the particular individual data using thesession-dependent generator and the secret information to produce theanonymous participation data, wherein the anonymous participation dataincludes data obtained by raising the session-dependent generator to apower determined by the secret information.